ExtraHop Debuts Policy Based Network Packet Capture

Hidden in the packet streams that traverse enterprise networks are clues that can help networking professionals to optimize networks. The traditional approach to getting network visibility has been to capture all the packets and then try and figure out what it all means.

Application Performance Management vendor ExtraHop Network is now breaking the mold of that traditional approach with a policy-based approach to packet capture and network visibility.

Erik Giesa, Senior VP of Marketing at ExtraHop, told EnterpriseNetworkingPlanet that the traditional approach to packet capture produces a lot of data and a lot of noise. The ExtraHop approach is an attempt to be more targeted and specific.

"We have created a dynamic ring buffer that in essence can replay traffic," Giesa said. "So all the traffic comes in and we store in the ring buffer continuously, the last one million packets."

From a policy perspective, when an error occurs a targeted packet capture can be triggered to help figure out what went wrong. Giesa explained that when the error trigger occurs, the ExtraHop system goes back into the previous million packets to find the specific offending packets from the application flow that caused the error event.

"It's like finding a snowflake in an avalanche," Giesa said.
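The look-back described above, as an added sketch that is not ExtraHop's code: a bounded ring buffer keeps the most recent packets, and when a policy predicate fires, only the offending flow is pulled out of it. The packet records, the `http_5xx` policy and the six-packet capacity are constructed stand-ins for the one-million-packet buffer.

```python
from collections import deque, namedtuple

# Constructed packet record; a real capture would hold raw frames.
Packet = namedtuple("Packet", "ts src sport dst dport proto flags payload")

def flow_key(p):
    """Direction-independent key so both halves of a conversation match."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (p.proto,) + (a + b if a <= b else b + a)

class TriggeredCapture:
    def __init__(self, capacity, is_error):
        self.ring = deque(maxlen=capacity)  # oldest packets fall off automatically
        self.is_error = is_error            # policy: predicate marking an error packet
        self.captures = []                  # one list of packets per trigger

    def ingest(self, pkt):
        self.ring.append(pkt)
        if self.is_error(pkt):
            key = flow_key(pkt)
            # Look back through the buffer and keep only the offending flow.
            self.captures.append([p for p in self.ring if flow_key(p) == key])

def http_5xx(p):
    """Hypothetical policy: a server response whose status line is 5xx."""
    return p.payload.startswith(b"HTTP/1.1 5")

def demo():
    cap = TriggeredCapture(capacity=6, is_error=http_5xx)
    c, s, other = "10.0.0.5", "10.0.0.80", "10.0.0.9"
    packets = [  # constructed sample traffic: two clients talking to one server
        Packet(1, other, 40000, s, 80, "tcp", "S", b""),  # evicted before the trigger
        Packet(2, c, 51000, s, 80, "tcp", "S", b""),
        Packet(3, s, 80, c, 51000, "tcp", "SA", b""),
        Packet(4, other, 40000, s, 80, "tcp", "PA", b"GET /ok HTTP/1.1\r\n\r\n"),
        Packet(5, c, 51000, s, 80, "tcp", "PA", b"GET /report HTTP/1.1\r\n\r\n"),
        Packet(6, s, 80, other, 40000, "tcp", "PA", b"HTTP/1.1 200 OK\r\n\r\n"),
        Packet(7, s, 80, c, 51000, "tcp", "PA",
               b"HTTP/1.1 500 Internal Server Error\r\n\r\n"),
    ]
    for p in packets:
        cap.ingest(p)
    return cap

if __name__ == "__main__":
    for p in demo().captures[0]:
        print(p.ts, p.src, "->", p.dst, p.payload[:30])
```

Anything older than the buffer's capacity is gone by the time the trigger fires, so the buffer size bounds how far back a capture can reach.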

Optimizing Virtualization

One of the use cases where the ExtraHop approach can make a difference is in optimizing virtualization traffic on a network.

"In the virtual world people equate resource utilization with performance and that's a bit of a mistake," Giesa said.

He noted that virtual machines on a physical host are primarily about scheduling and sharing common physical resources. What ends up happening though in many cases is that virtual packet loss occurs. Giesa explained that when the virtualization hypervisors are doing scheduling there can be pauses that occur. Those pauses can impact the networking TCP stack with errors.

"What it means is when we see the TCP errors go up, the TCP stack on which the virtual machine is running is unable to keep up with requests," Giesa said.

The virtual environment could potentially be running at 70 or 80 percent CPU utilization, which would lead an administrator to think that everything is working properly. That's not always the case as the errors could be manifesting themselves on the network.

"The physical host could be over-provisioned, even if it is running at proper CPU utilization," Giesa said. "The errors are happening because of the scheduling and the workloads within the virtual machine."

Giesa stressed that the ExtraHop capability to see both the inter- and intra-VM traffic is what enables the virtualization network impact analysis.

"You have to understand and see the network, the clients, the application and the virtual infrastructure," Giesa said.

Sean Michael Kerner is a senior editor at InternetNews.com, the news service of the IT Business Edge Network, the network for technology professionals. Follow him on Twitter @TechJournalist.